The group target unpatched Oracle WebLogic servers to gain access that they later hand off to third parties who deploy ransomware.

Dark Reading Staff, Dark Reading

August 5, 2021

1 Min Read

The Prophet Spider threat actor is running multiple campaigns in which attackers exploit Oracle WebLogic server flaws to access target environments then pass on their access to attackers who deploy ransomware.

Prophet Spider, which CrowdStrike researchers say has been active since at least May 2017, is adept in exploiting and operating in Windows and Linux environments. It usually breaches victims by compromising vulnerable Web servers, and typically gains initial access by exploiting public-facing applications.

Researchers noticed a recent trend in which Prophet Spider uses CVE-2020-14882 and CVE-2020-14750 to get a foothold into target environments. Both CVEs relate to path traversal vulnerabilities that enable an attacker to access the WebLogic administrative console, which then allows for unauthenticated remote code execution.

CrowdStrike notes "both vulnerabilities are essentially the same." The patch for CVE-2020-14882 was released in October 2020 but was bypassed soon after; the patch for CVE-2020-14750 fixed the problem "in a more comprehensive manner," they write in a blog post.

Prophet Spider has also been seen using older Oracle CVEs such as CVE-2016-0545, as well as gaining initial access via SQL injection. Researchers have not observed the group using phishing, brute forcing, malvertising, or drive-by downloads to gain initial access.

Researchers report at least two cases in which Prophet Spider infections have led to ransomware deployment, likely from different attack groups. The most likely explanation for the observed activity, they say, is Prophet Spider functioned as an access broker and likely granted access to Egregor and MountLocker ransomware operators in exchange for payment.

Read the full blog post for more details.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights